Wildcard SSL certificate for several subdomains on same IP Address

veronicabend

Well-Known Member
Hello!

Is it possible to purchase a certificate for *.domain.com, install it on the server for this domain, which is on its own IP address, and have the certificate work for all subdomains on that same IP? Will it protect www.domain.com and also a.domain.com and b.domain.com? In a way that if you access https://b.domain.com it works without redirecting to https://www.domain.com?

I would like to know if this is possible, and how I should set up SSL for it to work.

Thanks.
 

cPanelMichael

Administrator
Staff member
Hello :)

Yes, but keep in mind that you will need to manually install the same certificate for each subdomain.

Thank you.
 

swbrains

Well-Known Member
Hello cPanelMichael,

I'm also looking into installing a wildcard SSL cert on my cPanel server (CentOS 7). I would like to install that wildcard cert once and have it work for all subdomains under my main domain. I was also told by a server admin that it needed to be installed manually for each subdomain, but reading the following thread in which you responded:
Wildcard SSL certificate on wildcard subdomain (reference your reply to user "vanessa")
it sounds like it may be possible to create a wildcard DNS entry for "*" in my main domain's DNS and install the wildcard cert once to cover all subdomains.

Can you clarify if this is indeed possible, and if so, provide additional detail regarding the specific installation steps necessary to have a *single installation* of a wildcard cert work for all current and future subdomains of the main domain?
Thanks!
 

cPanelMichael

Administrator
Staff member
> Wildcard SSL certificate on wildcard subdomain (reference your reply to user "vanessa")
> it sounds like it may be possible to create a wildcard DNS entry for "*" in my main domain's DNS and install the wildcard cert once to cover all subdomains.
>
> Can you clarify if this is indeed possible, and if so, provide additional detail regarding the specific installation steps necessary to have a *single installation* of a wildcard cert work for all current and future subdomains of the main domain?

This is in reference to a wildcard SSL certificate with a wildcard subdomain. Typically, wildcard subdomains are used to direct requests to any subdomain associated with a domain name to a single location. Thus, if you wanted individual subdomains with their own content, you would have to install the wildcard certificate on each individual subdomain.

Note that you may find interest in the AutoSSL feature in cPanel 58 as an alternative to this, as it installs certificates for subdomains as well:

Manage AutoSSL - Documentation - cPanel Documentation

Thank you.
 

swbrains

Well-Known Member
AutoSSL looks very intriguing, but now I have some additional questions about this feature:

From what I read, it seems that it will only automatically install a new SSL cert if there is already an expiring one on that account, correct? If this is not the case, will AutoSSL actually generate/install a new SSL cert for all accounts (up to its limits) after it is enabled, even accounts that don't currently have an SSL cert installed on them?

It appears there are limits (200 for cPanel-provided certs) to the number of domains that can be provided with a free certificate. What about 300 subdomains using the same wildcard cert? Would that count as one cert or is it based on the number of installations?
Is there an option to tell AutoSSL to use a single wildcard cert for all subdomain accounts rather than to generate a new cert?
What if I already have a valid wildcard cert? Can AutoSSL use that to avoid hitting its limit?

Are the free certs from cPanel/AutoSSL "self-signed" or will they be natively recognized by most major browsers?

Thanks!
 

cPanelMichael

Administrator
Staff member
> From what I read, it seems that it will only automatically install a new SSL cert if there is already an expiring one on that account, correct? If this is not the case, will AutoSSL actually generate/install a new SSL cert for all accounts (up to its limits) after it is enabled, even accounts that don't currently have an SSL cert installed on them?

It will in fact attempt to install a certificate on domain names without existing SSL certificates. It will not attempt to replace pre-existing valid certificates that expire in more than three days.

> It appears there are limits (200 for cPanel-provided certs) to the number of domains that can be provided with a free certificate. What about 300 subdomains using the same wildcard cert? Would that count as one cert or is it based on the number of installations?

AutoSSL does not utilize wildcard SSL certificates. Domain names that use valid existing SSL certificates (including wildcard SSL certificates) are automatically skipped and not counted towards the limit.

> Is there an option to tell AutoSSL to use a single wildcard cert for all subdomain accounts rather than to generate a new cert?
> What if I already have a valid wildcard cert? Can AutoSSL use that to avoid hitting its limit?

AutoSSL will not issue wildcard SSL certificates.

> Are the free certs from cPanel/AutoSSL "self-signed" or will they be natively recognized by most major browsers?

These are signed certificates that major browsers will recognize.

Thank you.
 

swbrains

Well-Known Member
Thanks for the quick and thorough response! I guess with my use case (600+ accounts, with about 400+ using subdomains (rather than registered domains) for their account), I would have trouble if I enabled it, as it would hit its limit due to trying to install all the subdomains from new, individually-generated certs for each one.

So even though AutoSSL won't issue a new wildcard cert, is there a way to have it use the valid wildcard cert I already installed on one of my subdomains (to test it)?
 

cPanelMichael

Administrator
Staff member
> So even though AutoSSL won't issue a new wildcard cert, is there a way to have it use the valid wildcard cert I already installed on one of my subdomains (to test it)?

There's no native option to have it issue your own custom wildcard certificate for each subdomain under the account at this time. However, the following document explains how to install an SSL certificate via the command line using WHM API 1:

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+installssl

You could develop a custom script that installs the certificate for multiple subdomains using this API function if you are comfortable doing so.

Thank you.
 

swbrains

Well-Known Member
Thanks. I have written cPanel API code before so I could generate a script that installs my cert on the subdomain accounts initially.

But I imagine I'll still run into trouble when it expires, as AutoSSL will generate a new cert for the first 200 subdomains and then stop updating, leaving me with some accounts up to date, and others expired, with potentially no easy way to determine quickly which ones were not updated successfully due to the limit.
 

cPanelMichael

Administrator
Staff member
> But I imagine I'll still run into trouble when it expires, as AutoSSL will generate a new cert for the first 200 subdomains and then stop updating, leaving me with some accounts up to date, and others expired, with potentially no easy way to determine quickly which ones were not updated successfully due to the limit.

You can disable the AutoSSL feature on an account to prevent this from happening via:

"WHM Home » SSL/TLS » Manage AutoSSL » Manage Users"

Thank you.
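
For the concern raised above about telling quickly which subdomains ended up with an expired or wrong certificate, the following audit script is an added example, not part of the thread and not cPanel code. It also encodes the rule behind the opening question: `*.domain.com` covers exactly one label, so it matches b.domain.com but not domain.com itself or a.b.domain.com. The sample certificate dict is constructed and uses the thread's domain.com placeholder.

```python
import socket, ssl, sys
from datetime import datetime, timezone

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_WILDCARD = {
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

def wildcard_covers(pattern, host):
    """True if a certificate name covers host; '*' is one whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    if p[0] == "*":  # partial wildcards such as f*.domain.com are not handled
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(cert, host, now, warn_days=30):
    """Return a status string for host given a getpeercert()-style dict."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    matched = [n for n in names if wildcard_covers(n, host)]
    if not matched:
        return "name-mismatch"
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return "expired"
    if days_left < warn_days:
        return "expiring"
    return "ok-wildcard" if any(n.startswith("*.") for n in matched) else "ok-single"

def audit(host, port=443, timeout=5):
    """Handshake with SNI and full verification, then classify the leaf cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), host, datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:  # expired, wrong name, untrusted
        return "verify-failed: " + exc.verify_message
    except OSError as exc:
        return "unreachable: " + str(exc)

if __name__ == "__main__":  # usage: python3 audit.py a.domain.com b.domain.com
    for name in sys.argv[1:]:
        print(name, audit(name))
```

Run against the full subdomain list from cron, any line that is not `ok-wildcard` or `ok-single` marks an account whose certificate needs attention.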